Don't Speak Wookiee to the Board

January 18, 2019  Chelsea Brunson

We all know how Star Wars starts:

“A long time ago in a galaxy far, far away....”

It’s an intergalactic battle between good and evil.

Star Wars without Han Solo?

But what if Han Solo wasn’t in the movie? There are immediate consequences:

  • No love story
  • No friendly rivalry
  • No comedic relief

But most importantly, we wouldn’t have someone who understands Chewbacca.

You’re probably sitting there wondering where we are going with this. Based on our work in the infosec world and speaking with CISOs daily – many organizations appear to be like Star Wars without Han Solo.

Some CISOs today are like Chewbacca walking into a board meeting with his crossbow in hand, trying to explain a technical report, written in Wookiee, about the company's overall risk exposure to the evil Empire. We imagine the meeting going as follows:

Chewbacca: "The Empire has scary new threat capabilities that can take advantage of the 1,500 vulnerabilities of our Rebel Alliance systems. It's really, really bad! I need $1.5 million to buy this security tool. If I don't get it, we might lose the war and it'll be your fault", as he waves his crossbow around and points to the report.

What the board hears: "Raaawwwrrr, threats...raaawwwrrr....vulnerabilities... whaaaa....need money...raaaaaaaarr... your fault...whaaaa."

This use of "fear, uncertainty and doubt" has been powerful on executives. Unfortunately, what CISOs have discovered is that those tactics aren’t effective anymore. Boards are understanding that our shields aren't disabling, and are questioning what value security investments provide.

Translating Wookiee into business speak

Now, imagine the same scenario but with Han Solo, a smuggler (who speaks in dollars and cents and understands Wookiee), articulating the same analysis in business and financial terms.

Han Solo: "We are not well equipped to counter the Empire's new threat capabilities. We have to do something as the risk we face this year exceeds our risk appetite by over $75m. I found this security solution which has an 80% probability to reduce our annual loss exposure by approximately $80-100 million and that will cost us $1.5m. The cost/benefit analysis is clear. Do I have your approval to proceed?"

This time the board hears what is being said. Enabling them to understand their overall loss exposure to the Empire, define their risk appetite and make cost-effective decisions.

But the question is, "How do you go from speaking Wookiee to a language that the business can understand?"

It starts by adopting a model that allows for all the information security professionals within the Rebel Alliance to speak uniformly about risk. One such model is Factor Analysis of Information Risk (FAIR), the standard quantitative model for information security and operational risk, which is gaining intergalactic acceptance.

Han Solo and Princess Leia embrace

Once the model is decided upon, then there needs to be a tool which allows for the model to be leveraged for financially-driven enterprise-level analyses.

An example is the  RiskLens  Cyber Risk Quantification application, which is purpose-built on FAIR. This enables CISOs to transform from Chewbacca into Han Solo by bridging the communication gap.

The platform integrates advanced quantitative risk analytics, best-practice cyber risk management workflows, loss data and more allowing you to become the resourceful and savvy, Han Solo of risk reporting.

Contact us if you want to make the transformation from an eight foot tall, hairy, technical speaking CISO to a business-aligned hero.

May the FAIR be with you.